HashPass Desktop

In my previous post I introduced the Android app HashPass, which I made, and briefly mentioned that a command line version is available for the desktop. This post is a follow-up explaining the modes of operation of the command line version.

Basically it was made to supplement the android app. It has two modes of operation and they are as follows:

Method 1: The text is specified inline

python hashPass.py algorithm text_to_be_hashed

tpa@tortoise:~$ python hashPass.py md5 test
098f6bcd4621d373cade4e832627b4f6
tpa@tortoise:~$

Method 2: The text is specified at runtime

python hashPass.py algorithm

tpa@tortoise:~$ python hashPass.py md5
Enter the text to be hashed and press enter.
test
098f6bcd4621d373cade4e832627b4f6
tpa@tortoise:~$

The reason there are two methods is that with the first one the text (a password, in this case) is saved in your shell history file, so the second one is the recommended and safer method to use. The first method is there in case users wish to hash any text, but it was mainly added so that it can be run inside other scripts. Let's say you wish to hash a lot of passwords and you want to save the output to some file. Assuming pass is the password you want to hash, you would save the following to a file:

#!/usr/bin/env bash

#sample script to demonstrate the first method of hashPass

# each line prints a label, then the hash of "pass" under one algorithm
printf "pass for site 1: " ; python ~/bin/hashPass.py md5 pass
printf "pass for site 2: " ; python ~/bin/hashPass.py sha1 pass
printf "pass for site 3: " ; python ~/bin/hashPass.py sha256 pass
printf "pass for site 4: " ; python ~/bin/hashPass.py sha512 pass

Then change the permissions of the file with chmod u+x filename.sh

Running it produces:

pass for site 1: 1a1dc91c907325c69271ddf0c944bc72
pass for site 2: 9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684
pass for site 3: d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1
pass for site 4: 5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25

The algorithms are the same ones available in the Android application: MD5, SHA1, SHA256 and SHA512.
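The two modes above, sketched with Python 3's hashlib as an added example; this is not the hashPass.py source. The function names, the use of getpass so the typed text is not echoed, and the "all" mode (which prompts once and prints the four labelled lines of the sample script without the password being stored in a file) are assumptions of this sketch.

```python
import getpass
import hashlib
import sys

# The four algorithms the post lists for HashPass.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_text(algorithm, text):
    """Return the hex digest of text under one of the four algorithms."""
    name = algorithm.lower()
    if name not in ALGORITHMS:
        raise ValueError("unknown algorithm: %s" % algorithm)
    return hashlib.new(name, text.encode("utf-8")).hexdigest()


def site_report(text, algorithms=ALGORITHMS):
    """Build the 'pass for site N' lines of the sample script from one input."""
    return ["pass for site %d: %s" % (i, hash_text(alg, text))
            for i, alg in enumerate(algorithms, start=1)]


def main(argv, prompt=getpass.getpass):
    """argv mirrors the post: [algorithm, text] inline, [algorithm] prompts.

    'all' as the algorithm is an assumption of this sketch: it prompts once
    and prints one line per algorithm, so no password sits in a script file.
    """
    if not 1 <= len(argv) <= 2:
        return ["usage: hashpass_sketch.py algorithm [text]"]
    if len(argv) == 2:
        # Method 1: the text is an argument, so it lands in shell history.
        return [hash_text(argv[0], argv[1])]
    # Method 2: read the text at runtime; getpass does not echo it.
    text = prompt("Enter the text to be hashed and press enter.\n")
    if argv[0].lower() == "all":
        return site_report(text)
    return [hash_text(argv[0], text)]


if __name__ == "__main__":
    try:
        print("\n".join(main(sys.argv[1:])))
    except ValueError as err:
        sys.exit(str(err))
```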

Installation

Windows

Download and install Python from http://www.python.org/download

I tested it with Python 2.7 on Windows XP.

Once installed open up a command prompt.

You then add python to the PATH with

PATH C:\Python27;%PATH%

If you run into trouble in this step see http://docs.python.org/faq/windows#how-do-i-run-a-python-program-under-windows . This way only temporarily adds Python to the path.

To make the change permanent, right click My Computer > Properties > Advanced > Environment Variables and then add ;C:\Python27 on to the PATH variable, like so:

[Image: MyComputer Properties]

[Image: Environment Variables]

[Image: Add Python to Path]

Now you can navigate to the directory where the script is with cd. For this example we will assume it is on the desktop.

Example: cd Desktop

Now we can run the script with the same methods listed above. Using the second method we get the same result:

python hashPass.py md5
Enter the text to be hashed and press enter.
test
098f6bcd4621d373cade4e832627b4f6

Linux/Unix

Linux users should already have Python and hashlib installed; if not, they will be in your distro's repository.

Mac OSX

As on Linux, Python should be installed by default on Mac. The instructions to run it on Mac are the same as on Linux.

Hope you find the Hash Pass mobile and desktop versions useful.


Announcing HashPass

[Image: HashPass Icon]

HashPass allows a user to input a password or any text and generate a hash from it.

Generally a secure password is hard to remember so users tend to opt for easy to remember passwords. These passwords are also easy to crack. This app aims to address that by allowing the user to use hashes in place of their passwords on various sites.

Example: a user may have a password such as “computer” (a bad one) that would be easily cracked in a dictionary attack.

Whereas the MD5 hash generated from computer is df53ca268240ca76670c8566ee54568a, which is not easy to guess or dictionary attack.

There are currently four algorithms available in the app: MD5, SHA1, SHA256 and SHA512.

This allows the user to use the same password for four different sites and a different hash for each.

For your banking or email you could use the SHA512 hash of your chosen password. In the computer example the hash is

922d076069b1df893fc010b7a6d2aa55c7c4c5d194f163394a4c864de5754131c17bfa94ac1667f56b5181cc7eca5dc3a09444caee6eecf16114926bb29f7e79

The hashes are automatically copied to the clipboard for convenience. This allows you to paste it into an app such as facebook or an email app.


If a database that is insecurely storing passwords is compromised and your password (your generated hash) is obtained, the other three sites (with different hashing algorithms) would be safe.

Using hashes as passwords also makes an attack more computationally expensive as each string (sequence of characters) has to be hashed first before submitting it as the password. Also that factor is multiplied by 4 as the attacker does not know which algorithm you may have chosen.

You could also paste the output of the initial hash as the input with different functions for more options. Just remember the algorithms and the order you chose if you do.

I have also made an open source command line desktop version, which is written in Python and can be downloaded from https://minus.com/mBDxG4GLu/

This app respects users' privacy and no data is recorded about the user. The Internet permission is required to serve the ads.